Tamas TEVESZ wrote:
hi,
i think i'm missing something on filtering on the enc interface. scenario looks as:
left secgwA right [internal lan] -- [xl0 tun0] -- ~~ -- [secgwB] -- [other lan]
secgwA is a 3.5-stable built on jun 15 (ie. it doesn't have the pf fix that went in the tree on jul 16). on the "right" lan there is an mssql server on 10.80.99.10, and on the left lan there's a client on 192.168.63.4 that needs to access said server. all that needs to be passing through the tunnel is this single connection. secgwB is probably some nortel contivity thing (i wasn't told exactly what it is, but from mail bits i suppose so). secgwA handles only this one ipsec tunnel.
a.b.c.142 is the address of secgwA's tun0 interface, d.e.f.2 is the address of secgwB's internet-facing interface.
i'm trying to set up filtering on enc0 so that only the above-specified connection may get through, but i'm seeing phenomena i don't really understand (and thus, i'm probably naming several things inappropriately, for i lack a better/proper name for them. i'm trying to be as clear as i can, though, please bear with me).
in its simplest form, my pf.conf looks like this:
=====
scrub in all fragment reassemble
scrub out all fragment reassemble
pass quick on lo
pass quick on xl0
pass quick on tun0
block log on enc0
pass out log on enc0 proto tcp from 192.168.63.4 to 10.80.99.10 port = 1433 flags S/SA keep state
========
Add "pass in on enc0 proto ipencap all" and it should work. That's an old problem with OpenBSD IPSec code.
Cedric
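The same ruleset with the rule from Cedric's reply in place, as an added example that is not part of the original thread; it assumes the interfaces and addresses given in the question and changes nothing else.

```pf
# Interfaces and hosts as described in the question (assumed unchanged).
ext_if = "tun0"
int_if = "xl0"
client = "192.168.63.4"
mssql  = "10.80.99.10"

scrub in all fragment reassemble
scrub out all fragment reassemble

pass quick on lo
pass quick on $int_if
pass quick on $ext_if

# Default deny on the IPsec pseudo-interface; everything below is an exception.
block log on enc0

# The rule from Cedric's reply: on this release tunnel-mode IPsec traffic is
# presented to enc0 as IP-in-IP (ipencap, IP protocol 4), so it has to be
# passed explicitly or the block rule above drops it before the inner packet
# is ever evaluated.
pass in on enc0 proto ipencap all

# The single permitted connection: client -> MS SQL (1433) through the tunnel.
# "keep state" lets the reply packets back in without a separate "pass in" rule.
pass out log on enc0 proto tcp from $client to $mssql port = 1433 flags S/SA keep state
```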
